----- Original Message -----
> On Tue, 13 Apr 2010, Alyed wrote:
>
> > Think we need some solution WITHIN the Asterisk core. Roderick A.
> > suggested something that looks nice using iptables, some others have
> > pointed out using RBL or fail2ban, but the best would be to have some
> > generic solution not dependent on third party programs.
>
> I'd strongly disagree with this. (And I was the OP of this thread and
> had my home/office network connection taken down due to it)
>
> But then, I'm an old worldy Unix sysadmin and the philosophy of having
> a program do one thing well is still etched into my core...
>
> http://en.wikipedia.org/wiki/Unix_philosophy
>
> So get asterisk to do what it does well, then get something else that
> does what you need to do just as well - built-in to Linux are the
> iptables firewall rules. Use them! They are very effective and do
> work. (And you have a choice!)
>
> The biggest issue I see is that people are installing Asterisk and
> other high-level applications on top of Linux (and other *nix'es)
> without the experience of "sysadmin" - then when something goes wrong
> they want the application to fix it rather than apply some basic and
> pretty fundamental sysadmin techniques to solve the issue.
>
> And that means that even having permit= and deny= in sip.conf and
> iax.conf, etc. is too much. With proper OS level firewalling they're
> simply not needed and do nothing more than add another potential point
> of failure and add yet more code to maintain.
>
> Gordon

Gordon,

Completely agree with what you are saying, though I believe the proposal of some sort of shared IP list is a valid one. If you had not brought this to the attention of the list then this discussion would have not taken place.

I am guilty in that when an EC2 server attempted to break into my PBX I did not share it with the list. We, large assumption, are all at some point subjected to probing attacks against our Asterisk deployments and I feel it would be great if there was some mechanism where we were able to share those hackers' IPs for blocking by one means or another.

--
Thanks, Phil
